November 12, 2022 at 6:50 PM
Good luck everyone.

November 12, 2022 at 7:51 PM
any progress?

November 12, 2022 at 8:00 PM
there's a python webserver with /forgot, /reset, and /escalate directories. also I see that it's using varnish-cache 6.2 so it might be vulnerable to CVE-2021-36740. full port scan pulled up nothing but ssh and the webserver

November 12, 2022 at 8:10 PM
> (November 12, 2022, 08:00 PM)movfuscate Wrote: there's a python webserver with /forgot, /reset, and /escalate directories. also I see that it's using varnish-cache 6.2 so it might be vulnerable to CVE-2021-36740. full port scan pulled up nothing but ssh and the webserver
but how do you ssh to the webserver???

November 12, 2022 at 8:19 PM
> (November 12, 2022, 08:10 PM)pingu27 Wrote:
> > (November 12, 2022, 08:00 PM)movfuscate Wrote: there's a python webserver with /forgot, /reset, and /escalate directories. also I see that it's using varnish-cache 6.2 so it might be vulnerable to CVE-2021-36740. full port scan pulled up nothing but ssh and the webserver
> but how do you ssh to the webserver???
Scanning the box with nmap shows port 22 is open, but you can't authenticate to it unless you know the password or have the RSA key.

November 12, 2022 at 8:25 PM
> (November 12, 2022, 08:19 PM)movfuscate Wrote:
> > (November 12, 2022, 08:10 PM)pingu27 Wrote:
> > > (November 12, 2022, 08:00 PM)movfuscate Wrote: there's a python webserver with /forgot, /reset, and /escalate directories. also I see that it's using varnish-cache 6.2 so it might be vulnerable to CVE-2021-36740. full port scan pulled up nothing but ssh and the webserver
> > but how do you ssh to the webserver???
> Scanning the box with nmap shows port 22 is open, but you can't authenticate to it unless you know the password or have the RSA key.
i know that. i thought you got a shell....

November 12, 2022 at 8:32 PM
Apart from bruteforcing the basic auth with robert-dev-10090 (from source code) I don't know what to do. No XSS for CSRF, no flask token generation since we don't even have a token to spoof, no SQLi so far, fuzzing didn't get me anything juicy... Hitting the wall atm

November 12, 2022 at 8:57 PM
> (November 12, 2022, 08:32 PM)annehathaway Wrote: Apart from bruteforcing the basic auth with robert-dev-10090 (from source code) I don't know what to do. No XSS for CSRF, no flask token generation since we don't even have a token to spoof, no SQLi so far, fuzzing didn't get me anything juicy... Hitting the wall atm
Have you done brute force yet? Did it work?

November 12, 2022 at 8:59 PM
> (November 12, 2022, 08:57 PM)may123a Wrote:
> > (November 12, 2022, 08:32 PM)annehathaway Wrote: Apart from bruteforcing the basic auth with robert-dev-10090 (from source code) I don't know what to do. No XSS for CSRF, no flask token generation since we don't even have a token to spoof, no SQLi so far, fuzzing didn't get me anything juicy... Hitting the wall atm
> Have you done brute force yet? Did it work?
I quit bf, pretty sure that's not the way... Also it's weird we don't have a domain.htb to update /etc/hosts and check for a vhost. Pretty limited tbh

November 12, 2022 at 9:03 PM
https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning
I can get the token and reset the robert-dev- account (gives "Success") but trying to login still gives invalid creds.
It might be http smuggling with the post request to /reset after getting a token, but when I do that I break the box ... everything gives 500 error
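The password-reset poisoning the last post links to, shown as an added example that is not from this thread, the box, or PortSwigger: a /forgot link builder that trusts the client's Host header beside one that uses a configured canonical host, plus a constant-time token check for /reset. The hostnames, the allow list and the request headers are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlunsplit

# Constructed configuration (assumption, not the box's real hostname): the one
# host the application is deployed under. Reset links must only ever point here.
CANONICAL_HOST = "app.example.htb"
ALLOWED_HOSTS = {CANONICAL_HOST}


def host_is_trusted(headers: dict) -> bool:
    """Accept a request only if Host (and X-Forwarded-Host, which a front-end cache
    such as Varnish may pass through) name a host on the allow list."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is None:
            continue
        hostname = value.split(":", 1)[0].lower()  # drop any :port suffix
        if hostname not in ALLOWED_HOSTS:
            return False
    return True


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link mailed by /forgot from the client-supplied Host header, so a
    poisoned Host makes the victim's mail client send the token to that host."""
    host = headers.get("Host", CANONICAL_HOST)
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))


def reset_link_hardened(headers: dict, token: str) -> str:
    """Rejects untrusted hosts outright and never reads Host when building the link."""
    if not host_is_trusted(headers):
        raise ValueError("untrusted Host / X-Forwarded-Host header")
    return urlunsplit(("https", CANONICAL_HOST, "/reset", f"token={token}", ""))


def new_reset_token() -> str:
    """256-bit random token: unguessable, unlike one derived from user data."""
    return secrets.token_urlsafe(32)


def token_matches(stored: str, supplied: str) -> bool:
    """Constant-time comparison for /reset, so timing does not leak the stored token."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


if __name__ == "__main__":
    poisoned = {"Host": "attacker.example"}  # constructed request headers
    print("vulnerable link:", reset_link_vulnerable(poisoned, new_reset_token()))
    print("hardened accepts poisoned Host:", host_is_trusted(poisoned))
```

With a real front-end cache, the proxy should also be configured to drop or overwrite X-Forwarded-Host rather than relaying it from the client.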